Is Public Health the Model for Securing the Internet of Things?

Global cooperation and focus on basic hygiene may be a model for securing the Internet of Things, says the FCC’s CIO David Bray. (Image courtesy of the UN.)

In-brief: are public health initiatives the best model for securing the Internet of Things? David Bray, the CIO for the Federal Communications Commission thinks they may be.

One of the big challenges in securing the Internet of Things is how to adjust to the scale and diversity that the IoT brings. To put it simply: most of our security tools and processes were developed for a much smaller and more homogenous Internet – one of some billions of devices, most of them laptops, desktops, servers, routers, switches and – lately – mobile phones.

As we’ve written here on many occasions, the IoT represents a break with that history. It simultaneously adds a whole host of new, previously unconnected endpoints to the ‘net – from wearables to connected infrastructure like roads and street lamps. At the same time, it bridges the air gap to a lot of legacy infrastructure: from building management and environmental controls to industrial control systems.

How does one police or, more appropriately, care for that kind of far-flung and diverse ecosystem? It’s an open question. But there are lots of ideas, and most of them look ‘outside the box’ of classical IT management for inspiration.

But, as in public health, securing the IoT may be a project in which small and seemingly insignificant acts – like hand washing, or using mosquito nets – can have a huge, beneficial impact. He argues for something like a “cyber public health approach” that is described as a “mashup of cyber personal hygiene and cyber epidemiology” (two disciplines that don’t currently exist, we should note.)

“If we think of the Internet as a series of digital ecosystems where participants need to assume some responsibility for making sure they’re doing their best to keep their Internet devices clean and secure – the digital equivalent of washing their hands – then we can also imagine the need for cyber epidemiology when individual hygiene is insufficient in preventing a mass ‘outbreak’ or individual infection,” Bray said.

Sounds good – but what does that look like, practically? That’s where things get a bit fuzzy. Bray, who has been traveling the globe to research this issue as an Eisenhower Fellow, said that international leaders in places like Taiwan and Australia that he has consulted with are mostly voluntary and rely on verbose sharing of (anonymous) information on emerging threats. Bray talks about a “real-time clearinghouse of voluntarily submitted data about the cyber ‘health’ of the Internet across multiple devices.”

This has an analog in public health, where officials at the state and federal level will report on outbreaks or even just instances of communicable diseases, and where there is clear protocol on how to respond to one-off instances, small outbreaks, larger outbreaks and epidemics.

What kind of data is shared? This is vague, but the article mentions “masked, de-identified data regarding abnormal behaviors they’re seeing on their firewalls, routers, and other devices.”

Importantly – this should be “voluntary,” Bray notes. Governments and cooperating organizations would take part in data submission in a “voluntary, open, opt-in model.” Done at scale and with the proper analysis, Bray believes that the collected information about outbreaks and malicious activity could allow responsible organizations to act early on emerging threats.

But Mital was skeptical of the applicability of public health models to a population as big and diverse as the Internet of Things. “IoT devices hardware and processing constraints make current endpoint protection models (“vaccination”) impossible,” Mital wrote. His solution: “security by design. To continue with our public health analogy, think about this as genetically engineered immunity instead of vaccination.”

Author: PaulI'm an experienced writer, reporter and industry analyst with a decade of experience covering IT security, cyber security and hacking, and a fascination with the fast-emerging "Internet of Things."